class ProtobufRunner(FuzzObject): def __init__(self, pb2_api, name='ProtobufRunner', logger=None): super(ProtobufRunner, self).__init__(name, logger) self.pb2_api = pb2_api self.config = ConfigParser() self.target_host = self.config.get_target_host_name() self.target_port = self.config.get_target_port() self.frmu = FrameworkUtils() def run_proto(self) -> None: """ kitty low level field model https://kitty.readthedocs.io/en/latest/kitty.model.low_level.field.html """ js = ext_json.dict_to_JsonObject(dict(self.pb2_api[0]['Messages']), 'api') template_a = Template(name='Api', fields=js) self.logger.info(f"[{time.strftime('%H:%M:%S')}] Prepare ProtobufTarget ") target = ProtobufTarget('ProtobufTarget', host=self.target_host, port=self.target_port, max_retries=10, timeout=None, pb2_module=self.pb2_api[1]) self.logger.info(f"[{time.strftime('%H:%M:%S')}] Prepare ProtobufController ") controller = ProtobufController('ProtobufController', host=self.target_host, port=self.target_port) target.set_controller(controller) #target.set_expect_response('true') self.logger.info(f"[{time.strftime('%H:%M:%S')}] Defining GraphModel") model = GraphModel() model.connect(template_a) self.logger.info(f"[{time.strftime('%H:%M:%S')}] Prepare Server Fuzzer ") fuzzer = ServerFuzzer() fuzzer.set_interface(WebInterface(port=26001)) fuzzer.set_model(model) fuzzer.set_target(target) fuzzer.start() self.logger.info(f"[{time.strftime('%H:%M:%S')}] Start Fuzzer") self.logger.info(f"[Further info are in the related Kitty log output!]") six.moves.input('press enter to exit') self.logger.info(f"[{time.strftime('%H:%M:%S')}] End Fuzzer Session") fuzzer.stop()
class HttpTarget(ServerTarget): """ HttpTarget is implementation of a TCP target for the ServerFuzzer """ def __init__(self, name, host, port, max_retries=10, timeout=None, logger=None) -> object: """ :param name: name of the target :param host: host ip (to send data to) currently unused :param port: port to send to :param max_retries: maximum connection retries (default: 10) :param timeout: socket timeout (default: None) :param logger: logger for the object (default: None) """ super(HttpTarget, self).__init__(name, logger) self.host = host self.port = port if (host is None) or (port is None): raise ValueError('host and port may not be None') self.timeout = timeout self.socket = None self.max_retries = max_retries self.config = ConfigParser() self.use_tls = self.config.get_tls() self.target_host = self.config.get_target_host_name() self.report = Report('report') self._uuid = GenerateUUID.generate_uuid() def pre_test(self, test_num=str) -> None: """Katnip original method.""" super(HttpTarget, self).pre_test(test_num) retry_count = 0 while self.socket is None and retry_count < self.max_retries: sock = self._get_socket() if self.timeout is not None: sock.settimeout(self.timeout) try: retry_count += 1 sock.connect((self.host, self.port)) self.socket = sock except Exception: sock.close() self.logger.error(f"Error: {traceback.format_exc()}") self.logger.error( f"Failed to connect to target server, retrying...") time.sleep(1) if self.socket is None: raise (KittyException( 'TCPTarget: (pre_test) cannot connect to server (retries = %d' % retry_count)) def _get_socket(self) -> socket: """ Katnip original method. Get a Socket object. Extended with Python3.x TLS socket wrapper """ if self.use_tls: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(10) socket_handler = socket.socket(socket.AF_INET, socket.SOCK_STREAM) socket_wraped = ssl.create_default_context().wrap_socket( socket_handler, server_hostname=self.target_host) return socket_wraped elif not self.use_tls: return socket.socket(socket.AF_INET, socket.SOCK_STREAM) def post_test(self, test_num=str) -> None: """Katnip original method.""" super(HttpTarget, self).post_test(test_num) if self.socket is not None: self.socket.close() self.socket = None if self.report.get('status') != Report.PASSED: if not os.path.exists(os.getcwd() + '/results/'): os.makedirs(os.getcwd() + '/results/') test_num = self.report.get('test_number') with open(os.getcwd() + '/results/{}-result-http-{}.json'.format( test_num, str(self._uuid)), 'w', encoding='utf-8') as file: json.dump(self.report.to_dict(), file, ensure_ascii=False, indent=4) file.close() def _raw_data(self, data=bytes) -> None: """Convert bytes data to UTF-8""" try: self.logger.info(f"Data sent: {data.decode('utf-8')}") except UnicodeDecodeError as err: """ UnicodeDecodeError: 'utf-8' codec can't decode byte 0xfe in position 14: invalid start byte Fuzzer transform data so I have to log the bytes format. """ self.logger.info(f"Data sent: {data}, error {err}") def _send_to_target(self, data=bytes) -> None: self._raw_data(data) self.socket.send(data) def _receive_from_target(self) -> bytes: return self.socket.recv(10000) def transmit(self, payload): """ This is the original transmit method from ServerTarget overwritten with special cases such as 40X or 50X according to the aim of the test. According to https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/500 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable 504 Gateway Timeout 505 HTTP Version Not Supported 506 Variant Also Negotiates 507 Insufficient Storage 508 Loop Detected 510 Not Extended 511 Network Authentication Required Original method docstring: Transmit single payload, and receive response, if expected. The actual implementation of the send/receive should be in ``_send_to_target`` and ``_receive_from_target``. :type payload: str :param payload: payload to send :rtype: str :return: the response (if received) """ SERVER_50x_CODES = [ '500 Internal Server Error', '501 Not Implemented', '502 Bad Gateway', '503 Service Unavailable', '504 Gateway Timeout', '505 HTTP Version Not Supported', '506 Variant Also Negotiates', '507 Insufficient Storage', '508 Loop Detected', '510 Not Extended', '511 Network Authentication Required' ] SERVER_40xCODES = [ '400 Bad Request', '401 Unauthorized', '402 Payment Required', '403 Forbidden', '404 Not Found', '405 Method Not Allowed', '406 Not Acceptable', '407 Proxy Authentication Required', '408 Request Timeout', '409 Conflict', '410 Gone', '411 Length Required', '412 Precondition Failed', '413 Payload Too Large', '414 URI Too Long', '415 Unsupported Media Type', '416 Range Not Satisfiable', '417 Expectation Failed', '422 Unprocessable Entity', '425 Too Early', '426 Upgrade Required', '428 Precondition Required', '429 Too Many Requests', '431 Request Header Fields Too Large', '451 Unavailable For Legal Reasons' ] response = None trans_report_name = 'transmission_0x%04x' % self.transmission_count trans_report = Report(trans_report_name) self.transmission_report = trans_report self.report.add(trans_report_name, trans_report) try: trans_report.add('request (hex)', hexlify(payload).decode()) trans_report.add('request (raw)', '%s' % payload) trans_report.add('request length', len(payload)) trans_report.add('request time', time.time()) request = hexlify(payload).decode() request = request if len(request) < 100 else (request[:100] + ' ...') self.logger.info('request(%d): %s' % (len(payload), request)) self._send_to_target(payload) trans_report.success() if self.expect_response: try: response = self._receive_from_target() trans_report.add('response time', time.time()) trans_report.add('response (hex)', hexlify(response).decode()) trans_report.add('response (raw)', '%s' % response) trans_report.add('response length', len(response)) trans_report.add('Session ID', str(self._uuid)) printed_response = hexlify(response).decode() printed_response = printed_response if len( printed_response) < 100 else (printed_response[:100] + ' ...') self.logger.info( f"response{len(response)}: {printed_response}") self.logger.debug(response.decode('utf-8')) string_response = response.decode('utf-8') response_code_string = string_response.splitlines()[0] response_code = response_code_string.replace( 'HTTP/1.1 ', '') if response_code in SERVER_40xCODES or response_code in SERVER_50x_CODES: self.logger.info( f"response failure {response.decode('utf-8')}") trans_report.failed('Failure in HTTP response.') trans_report.add('Response', response.decode('utf-8')) self.report.set_status('failed') self.receive_failure = True except Exception as ex2: trans_report.failed('failed to receive response: %s' % ex2) trans_report.add('traceback', traceback.format_exc()) self.logger.error( f"target.transmit - failure in receive (exception: {ex2})" ) self.logger.error(traceback.format_exc()) self.receive_failure = True else: response = '' except Exception as ex1: trans_report.failed(f"failed to send payload: {ex1}") trans_report.add('traceback', traceback.format_exc()) self.logger.error( f"target.transmit - failure in send (exception: {ex1})") self.logger.error(traceback.format_exc()) self.send_failure = True self.transmission_count += 1 return response
class HttpRunner(FuzzObject): """ HttpRunner class created according to the Kitty/Katnip API documentations. The class is a part of the Fuzzer Framework. """ def __init__(self, name='HttpRunner', logger=None) -> object: """ HttpRunner constructor :param name: the name of the class :param logger: logger from the framework """ super(HttpRunner, self).__init__(name, logger) self.config = ConfigParser() self.target_host = self.config.get_target_host_name() self.target_port = self.config.get_target_port() self.http_get = self.config.get_http_get_method() self.http_post_put = self.config.get_http_post_put_method() self.http_post_update = self.config.get_http_post_update_method() self.http_delete = self.config.get_http_delete_method() self.http_fuzz_protocol = self.config.get_http_fuzz_protocol() self.http_path = self.config.get_http_path() self.http_content_type = self.config.get_http_content_type() self.http_payload = self.config.get_http_payload() self.gen_uuid = GenerateUUID.generate_uuid() def run_http(self) -> None: """ This method provides the HTTP GET, POST, ... , templating for the HTTP header as fields, data provided by the config, explained in the User Documentation. kitty low level field model https://kitty.readthedocs.io/en/latest/kitty.model.low_level.field.html :returns: None :rtype: None """ http_template = None # HTTP GET TEMPLATE self.logger.info( f"[{time.strftime('%H:%M:%S')}] Initiate template for HTTP GET ..." ) if self.http_get: http_template = Template( name='HTTP_GET', fields=[ # GET / HTTP/1.1 String('GET', name='method', fuzzable=False), Delimiter(' ', name='delimiter-1', fuzzable=False), String(self.http_path, name='path'), Delimiter(' ', name='delimiter-2', fuzzable=self.http_fuzz_protocol), String('HTTP', name='protocol name', fuzzable=self.http_fuzz_protocol), Delimiter('/', name='fws-1', fuzzable=self.http_fuzz_protocol), Dword(1, name='major version', encoder=ENC_INT_DEC, fuzzable=self.http_fuzz_protocol), Delimiter('.', name='dot-1', fuzzable=self.http_fuzz_protocol), Dword(1, name='minor version', encoder=ENC_INT_DEC, fuzzable=self.http_fuzz_protocol), Static('\r\n', name='EOL-1'), # User agent String('User-Agent:', name='user_agent_field', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-3', fuzzable=self.http_fuzz_protocol), String('Fuzzer', name='user-agent_name', fuzzable=self.http_fuzz_protocol), Static('\r\n', name='EOL-2'), # Token generated by framework to support following the session if necessary. String('Fuzzer-Token:', name='fuzzer_token', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-4', fuzzable=self.http_fuzz_protocol), String(str(self.gen_uuid), name='fuzzer_token_type', fuzzable=False), # do not fuzz token Static('\r\n', name='EOL-3'), # Accept String('Accept:', name='accept', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-5', fuzzable=self.http_fuzz_protocol), String('*/*', name='accept_type_', fuzzable=self.http_fuzz_protocol), Static('\r\n', name='EOL-4'), # Cache-control no-cache by default String('Cache-Control:', name='cache-control', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-6', fuzzable=self.http_fuzz_protocol), String('no-cache', name='cache_control_type', fuzzable=self.http_fuzz_protocol), Static('\r\n', name='EOL-5'), # Host, the target host String('Host:', name='host_name', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-7', fuzzable=self.http_fuzz_protocol), String(self.target_host, name='target_host', fuzzable=False), # do not fuzz target host address! Static('\r\n', name='EOL-6'), # Connection close, do not use keep-alive it results only one mutation, than the # fuzzer will hang. String('Connection:', name='accept_encoding', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-8', fuzzable=self.http_fuzz_protocol), String('close', name='accept_encoding_types', fuzzable=False), # do not fuzz this field! Static('\r\n', name='EOM-7'), # Content-type from config. String('Content-Type:', name='Content-Type', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-9', fuzzable=self.http_fuzz_protocol), String(self.http_content_type, name='content_type_', fuzzable=self.http_fuzz_protocol), Static('\r\n\r\n', name='EOM-8') ]) if self.http_post_put: self.logger.info( f"[{time.strftime('%H:%M:%S')}] Initiate template for HTTP POST ..." ) http_template = Template( name='HTTP_POST', fields=[ # POST / HTTP/1.1 String('POST', name='method', fuzzable=False), Delimiter(' ', name='delimiter-1', fuzzable=False), String(self.http_path, name='path'), Delimiter(' ', name='delimiter-2', fuzzable=self.http_fuzz_protocol), String('HTTP', name='protocol name', fuzzable=self.http_fuzz_protocol), Delimiter('/', name='fws-1', fuzzable=self.http_fuzz_protocol), Dword(1, name='major version', encoder=ENC_INT_DEC, fuzzable=self.http_fuzz_protocol), Delimiter('.', name='dot-1', fuzzable=self.http_fuzz_protocol), Dword(1, name='minor version', encoder=ENC_INT_DEC, fuzzable=self.http_fuzz_protocol), Static('\r\n', name='EOL-1'), # User agent String('User-Agent:', name='user_agent_field', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-3', fuzzable=self.http_fuzz_protocol), String('Fuzzer', name='user-agent_name', fuzzable=self.http_fuzz_protocol), Static('\r\n', name='EOL-2'), # Token generated by framework to support following the session if necessary. String('Fuzzer-Token:', name='fuzzer_token', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-4', fuzzable=self.http_fuzz_protocol), String(str(self.gen_uuid), name='fuzzer_token_type', fuzzable=self.http_fuzz_protocol), Static('\r\n', name='EOL-3'), # Accept String('Accept:', name='accept', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-5', fuzzable=self.http_fuzz_protocol), String('*/*', name='accept_type_', fuzzable=self.http_fuzz_protocol), Static('\r\n', name='EOL-4'), # Cache-control no-cache by default String('Cache-Control:', name='cache-control', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-6', fuzzable=self.http_fuzz_protocol), String('no-cache', name='cache_control_type', fuzzable=self.http_fuzz_protocol), Static('\r\n', name='EOL-5'), # Host, the target host String('Host:', name='host_name', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-7', fuzzable=self.http_fuzz_protocol), String(self.target_host, name='target_host', fuzzable=False), # do not fuzz target host address! Static('\r\n', name='EOL-6'), # Content length: obvious payload lenght. String('Content-Length:', name='content_length', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-9', fuzzable=self.http_fuzz_protocol), String(str(len(self.http_payload)), name='content_length_len', fuzzable=False), Static('\r\n', name='EOM-8'), # Connection close, do not use keep-alive it results only one mutation, than the # fuzzer will hang. String('Connection:', name='accept_encoding', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-8', fuzzable=self.http_fuzz_protocol), String('close', name='accept_encoding_types', fuzzable=False), # do not fuzz this field! Static('\r\n', name='EOM-7'), # Content type String('Content-Type:', name='Content-Type', fuzzable=self.http_fuzz_protocol), Delimiter(' ', name='delimiter-10', fuzzable=self.http_fuzz_protocol), String(self.http_content_type, name='content_type_', fuzzable=self.http_fuzz_protocol), Static('\n\r\n', name='EOM-9'), # Payload String(self.http_payload, name='payload'), Static('\r\n\r\n', name='EOM-10') ]) self.logger.info( f"[{time.strftime('%H:%M:%S')}] Prepare HttpTarget ...") target = HttpTarget(name='HttpTarget', host=self.target_host, port=self.target_port, max_retries=10, timeout=None) target.set_expect_response('true') self.logger.info( f"[{time.strftime('%H:%M:%S')}] Prepare HttpController ...") controller = HttpGetController('HttpGetController', host=self.target_host, port=self.target_port) target.set_controller(controller) self.logger.info( f"[{time.strftime('%H:%M:%S')}] Defining GraphModel...") model = GraphModel() model.connect(http_template) fuzzer = ServerFuzzer() fuzzer.set_interface(WebInterface(port=26001)) fuzzer.set_model(model) fuzzer.set_target(target) fuzzer.set_delay_between_tests(1) self.logger.info(f"[{time.strftime('%H:%M:%S')}] Start Fuzzer...") self.logger.info( f"[Further info are in the related Kitty log output!]") fuzzer.start() self.logger.info(f"[{time.strftime('%H:%M:%S')}] End Fuzzer Session") fuzzer.stop()
class DnsRunner(FuzzObject): def __init__(self, name='DnsRunner', logger=None): super(DnsRunner, self).__init__(name, logger) self.config = ConfigParser() self.target_host = self.config.get_target_host_name() self.target_port = self.config.get_target_port() self.timeout = self.config.get_dns_timout() self.tld = self.config.get_dns_tld() self.default_labels = self.config.get_dns_default_labels() def run_dns(self): """ kitty low level field model https://kitty.readthedocs.io/en/latest/kitty.model.low_level.field.html """ fields = [] counter = 0 dns_label_length = len(self.default_labels.split('.')) dns_label_list = self.default_labels.split('.') self.logger.info( f"[{time.strftime('%H:%M:%S')}] Initiate template for DNS ...") while counter < dns_label_length: fields.append( String(dns_label_list[counter], name='sub_domain_' + str(counter), max_size=10)) fields.append(Delimiter('.', name='delimiter_' + str(counter))) counter += 1 fields.append(String(self.tld, name='tld', fuzzable=False)) dns_query = Template(name='DNS_QUERY', fields=fields) """ dns_query = Template(name='DNS_QUERY', fields=[ String('r', name='sub_domain', max_size=10), Delimiter('.', name='space1"), String('rf', name='sub_domain2', max_size=10), Delimiter('.', name='space2"), String(self.tld, name='tld', fuzzable=False), ]) """ # define target, in this case this is SslTarget because of HTTPS self.logger.info( f"[{time.strftime('%H:%M:%S')}] Prepare DnsTarget ...") target = DnsTarget(name='DnsTarget', host=self.target_host, port=self.target_port, timeout=self.timeout) target.set_expect_response('true') self.logger.info( f"[{time.strftime('%H:%M:%S')}] Prepare DnsController ...") controller = DnsController('DnsController', host=self.target_host, port=self.target_port) target.set_controller(controller) # Define model self.logger.info( f"[{time.strftime('%H:%M:%S')}] Defining GraphModel...") model = GraphModel() model.connect(dns_query) self.logger.info( f"[{time.strftime('%H:%M:%S')}] Prepare Server Fuzzer ...") fuzzer = ServerFuzzer() fuzzer.set_interface(WebInterface(port=26001)) fuzzer.set_model(model) fuzzer.set_target(target) fuzzer.set_delay_between_tests(1) self.logger.info(f"[{time.strftime('%H:%M:%S')}] Start Fuzzer...") self.logger.info( f"[Further info are in the related Kitty log output!]") fuzzer.start() self.logger.info(f"[{time.strftime('%H:%M:%S')}] End Fuzzer Session") fuzzer.stop()